CISA warns of critical Honeywell CCTV vulnerability (CVSS 9.8) allowing unauthorized access. Figure fintech breach exposes nearly 1 million accounts via social engineering. Four VS Code extensions with 125M+ downloads contain critical flaws. Microsoft Copilot bug bypasses DLP policies since January.
CISA is warning of a critical vulnerability in multiple Honeywell CCTV products used in critical infrastructure. Attackers can hijack accounts and access camera feeds without authentication.
Discovered by researcher Souvik Kanda, CVE-2026-1670 is classified as "missing authentication for critical function." The flaw allows an unauthenticated attacker to change the recovery email address associated with a device account, enabling complete account takeover.
| Model | Firmware Version |
|---|---|
| I-HIB2PI-UL 2MP IP | 6.1.22.1216 |
| SMB NDAA MVO-3 | WDR_2MP_32M_PTZ_v2.0 |
| PTZ WDR 2MP 32M | WDR_2MP_32M_PTZ_v2.0 |
| 25M IPC | WDR_2MP_32M_PTZ_v2.0 |
These NDAA-compliant cameras are deployed in U.S. government agencies, federal contractors, and critical facilities. CISA recommends:
Blockchain-native fintech company Figure Technology Solutions suffered a breach affecting nearly 1 million accounts. The attack was executed via social engineering.
Figure, which has unlocked over $22 billion in home equity with 250+ partners including banks, credit unions, and fintechs, confirmed the incident to TechCrunch. The attackers used voice phishing (vishing) to trick an employee into providing access.
The ShinyHunters extortion group leaked 2.5GB of data from thousands of loan applicants on their dark web site. This is part of a larger campaign targeting SSO accounts at Okta, Microsoft, and Google across 100+ high-profile organizations.
Attackers impersonate IT support, call employees, and trick them into entering credentials and MFA codes on phishing sites that impersonate company login portals. Once in, they gain access to connected enterprise applications including Salesforce, Microsoft 365, Google Workspace, Slack, and Dropbox.
OX Security researchers discovered multiple vulnerabilities in four popular VS Code extensions. Three CVEs remain unpatched.
"A hacker needs only one malicious extension, or a single vulnerability within one extension, to perform lateral movement and compromise entire organizations," the researchers warned.
| CVE | Extension | CVSS | Impact |
|---|---|---|---|
| CVE-2025-65717 | Live Server | 9.1 | Local file exfiltration via malicious website |
| CVE-2025-65716 | Markdown Preview Enhanced | 8.8 | Arbitrary JavaScript execution via .md file |
| CVE-2025-65715 | Code Runner | 7.8 | Arbitrary code execution via settings.json |
| — | Microsoft Live Preview | — | Sensitive file exfiltration (fixed in v0.4.16) |
A Microsoft 365 Copilot bug has been causing the AI assistant to summarize confidential emails, bypassing data loss prevention (DLP) policies that protect sensitive information.
Tracked as CW1226324, this bug affects the Copilot "work tab" chat feature. It incorrectly reads and summarizes emails in Sent Items and Drafts folders — including messages with confidentiality labels explicitly designed to restrict access by automated tools.
Microsoft stated: "This did not provide anyone access to information they weren't already authorized to see... A configuration update has been deployed worldwide for enterprise customers."
Review Copilot activity logs for the period since January 21. Verify that sensitivity-labeled content wasn't inadvertently included in Copilot summaries shared beyond intended recipients.
Texas sued TP-Link Systems, accusing the company of deceptively marketing routers as secure while allowing Chinese state-backed hackers to exploit firmware vulnerabilities.
651 arrests across 16 African countries. Recovered over $4.3 million. Operation targeted investment fraud, mobile money scams, and fraudulent loan apps linked to $45 million in losses.
ESET discovered Android malware that uses Google's Gemini AI to maintain persistence. The malware leverages generative AI to analyze screens and generate step-by-step instructions to keep itself pinned in recent apps.
Sentenced for hacking multiple tax preparation firms in Massachusetts and filing fraudulent returns seeking over $8.1 million in refunds.
| Metric | Value |
|---|---|
| Figure breach accounts affected | 967,200 |
| Honeywell CVE severity (CVSS) | 9.8 |
| VS Code extension downloads at risk | 125M+ |
| Copilot DLP bypass duration | ~30 days |
| INTERPOL arrests (Op Red Card 2.0) | 651 |
| Organizations targeted by ShinyHunters | 100+ |
AI-powered vulnerability management with 333,000+ CVEs indexed.
Start Free ScanStay secure. Stay vigilant.
🗡️ KENSAI Security Team